Data Processing Agreement
For enterprise customers and teams operating under GDPR, CCPA, or similar obligations. This DPA describes how TOTPBOX processes personal data on your behalf.
Last updated: March 14, 2026
Architecture note: By design, TOTPBOX processes the minimum personal data possible. Authentication secrets are encrypted client-side and are never accessible to us in plaintext — meaning TOTPBOX acts as a data processor for account metadata only, not for vault contents.
1. Definitions
For the purposes of this Data Processing Agreement ("DPA"):
- "Controller" means the entity that determines the purposes and means of processing personal data (you, the customer)
- "Processor" means TOTPBOX Inc., which processes personal data on behalf of the Controller
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion
- "Sub-processor" means any third party engaged by TOTPBOX to process Personal Data
- "Data Subject" means any user of the TOTPBOX Service within the Controller's organisation
2. Scope and Nature of Processing
2.1 Categories of Personal Data Processed
TOTPBOX processes the following categories of personal data on behalf of Team plan customers:
- Email addresses of team members
- Account authentication tokens (session data)
- Encrypted vault blobs (ciphertext — content inaccessible to TOTPBOX)
- Usage metadata: feature event timestamps, client version, OS platform
- Billing contact information (name, billing address)
2.2 Categories of Data Subjects
Employees, contractors, or other personnel of the Controller who are provisioned a TOTPBOX Team account.
2.3 Purpose of Processing
TOTPBOX processes Personal Data solely to deliver the Service as described in the Terms of Service: enabling secure authentication management, encrypted vault sync, team access provisioning, and billing.
3. Controller and Processor Obligations
3.1 Controller Obligations
The Controller agrees to:
- Ensure a lawful basis exists for processing Personal Data via TOTPBOX
- Provide appropriate privacy notices to its Data Subjects
- Ensure Personal Data provided to TOTPBOX is accurate and kept up to date
- Comply with applicable data protection laws in its jurisdiction
3.2 TOTPBOX (Processor) Obligations
TOTPBOX agrees to:
- Process Personal Data only on documented instructions from the Controller
- Ensure personnel authorized to process Personal Data are bound by confidentiality
- Implement and maintain appropriate technical and organizational security measures
- Assist the Controller in responding to Data Subject rights requests
- At the Controller's choice, delete or return all Personal Data upon termination
- Make available all information necessary to demonstrate compliance with this DPA
- Notify the Controller without undue delay upon becoming aware of a data breach
4. Sub-processors
TOTPBOX uses the following sub-processors to deliver the Service. All sub-processors are subject to data processing agreements that provide equivalent protections to this DPA.
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | USA, EU |
| Amazon Web Services | Cloud infrastructure & storage | USA, EU |
| Cloudflare | CDN, DDoS protection, edge | Global |
| Sentry | Error monitoring | USA |
| PostHog (self-hosted) | Product analytics | EU |
We will provide 30 days' advance notice of any changes to our sub-processor list. If you object to a new sub-processor, you may terminate the Service without penalty within the notice period.
5. Security Measures
TOTPBOX implements and maintains the following technical and organizational security measures:
5.1 Technical Measures
- AES-256-GCM encryption of all vault data before transmission
- TLS 1.3 for all data in transit
- AES-256 encryption at rest for all server-side storage
- Multi-factor authentication required for all TOTPBOX staff access to production
- Regular automated vulnerability scanning and annual third-party penetration testing
- Immutable audit logs for all administrative access to production systems
5.2 Organizational Measures
- Role-based access control — production access is need-to-know only
- Security awareness training for all personnel, repeated annually
- Documented incident response plan with defined escalation paths
- Background checks for personnel with access to production infrastructure
6. Data Breach Notification
In the event of a confirmed Personal Data breach, TOTPBOX will notify the Controller without undue delay, and in any event within 72 hours of becoming aware. The notification will include, to the extent available:
- Nature of the breach and categories of data affected
- Approximate number of Data Subjects and records involved
- Likely consequences of the breach
- Measures taken or proposed to address the breach
Given the encrypted-at-source architecture, a breach of TOTPBOX servers exposes only ciphertext — which is not usable without the master key that only the Data Subject holds.
7. Data Subject Rights
TOTPBOX will assist the Controller in fulfilling Data Subject rights requests, including access, rectification, erasure, restriction, portability, and objection. Requests should be directed to dpa@totpbox.com. We will respond within 5 business days.
8. International Transfers
TOTPBOX is headquartered in the United States. For customers in the European Economic Area (EEA), the United Kingdom, or Switzerland, data transfers to our US-based infrastructure are governed by the EU Standard Contractual Clauses (SCCs), incorporated by reference into this DPA. A signed copy of the SCCs is available on request.
9. Term and Termination
This DPA remains in force for the duration of the Service agreement. Upon termination, TOTPBOX will, at the Controller's written election, either return all Personal Data in a portable format or securely destroy it within 30 days, and provide written confirmation.
10. Governing Law
This DPA is governed by the law specified in the Terms of Service, except where a different governing law is required by applicable data protection legislation in the Controller's jurisdiction.
11. Contact
For DPA-related enquiries, data protection requests, or to request a signed copy of Standard Contractual Clauses, contact our Data Protection team at dpa@totpbox.com.